Start with an event type followed by a where clause for conditions.
2. Filtering
Use where to filter results based on a condition.
3. Event Joining
Use sequence to correlate events in a sequence.
4. Time Constraints
Use until and within to define time constraints between sequence events.
5. Event Type Definition
Define event types to filter on specific log types.
6. Field Comparisons
Use field comparisons to correlate fields within and across events.
7. String Functions
Use string functions like concat, substring, etc., for string operations.
8. Mathematical Operations
Use mathematical operations like +, -, *, / for calculations.
9. Logical Operators
Use logical operators like and, or, not for complex conditions.
10. Pipe Operations
Use `|` to perform operations like filtering, sorting, and counting on the query results.
Examples for Detection Query in EQL
1. Basic Query
process where process_name == "cmd.exe"
2. Event Sequence
sequence by host.id
[process where process_name == "cmd.exe"]
[network where process_name == "cmd.exe" and port == 80]
3. Time Constraint
sequence by host.id
[process where process_name == "cmd.exe"]
[network where process_name == "cmd.exe" and port == 80] within 1m
4. Field Comparison
sequence by host.id
[process where process_name == "cmd.exe"]
[network where process_name == "cmd.exe" and port == 80 and process.pid == process.parent_pid]
5. String Concatenation
process where concat(process_name, " ", process.args) == "cmd.exe /c"
6. Logical Operator
process where process_name == "cmd.exe" and not user.name == "SYSTEM"
7. Mathematical Operation
file where file.size + 100 > 2000
8. Event Type Definition
file where opcode == "create" and file.extension == "exe"
9. Pipe and Count
process where process_name == "cmd.exe"
| count
10. Pipe and Unique Count
process where true
| unique_count user.name
11. Pipe and Sort
process where true
| sort process.start_time desc
12. Pipe and Filter
process where true
| filter process_name == "cmd.exe"
13. Pipe and Head
process where true
| head 5
14. Pipe and Tail
process where true
| tail 5
15. Subquery
process where process_name == "cmd.exe" and
[file where file_name == "evil.exe"]